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Abstract: Due to the Internet’s explosive growth, network security is now a major concern; as a 
result, tracking network traffic is essential for a variety of uses, including improving system efficiency, 
fixing bugs in the network, and keeping sensitive data secure. Firewalls are a crucial component 
of enterprise-wide security architectures because they protect individual networks from intrusion. 
The efficiency of a firewall can be negatively impacted by issues with its design, configuration, 
monitoring, and administration. Recent firewall security methods do not have the rigor to manage 
the vagueness that comes with filtering packets from the exterior. Knowledge representation and 
reasoning are two areas where fuzzy Petri nets (FPNs) receive extensive usage as a modeling tool. 
Despite their widespread success, FPNs’ limitations in the security engineering field stem from the 
fact that it is difficult to represent different kinds of uncertainty. This article details the construction 
of a novel packet-filtering firewall model that addresses the limitations of current FPN-based filtering 
methods. The primary contribution is to employ Simplified Neutrosophic Petri nets (SNPNs) as a 
tool for modeling discrete event systems in the area of firewall packet filtering that are characterized 
by imprecise knowledge. Because of SNPNs’ symbolic ability, the packet filtration model can be 
quickly and easily established, examined, enhanced, and maintained. Based on the idea that the 
ambiguity of a packet’s movement can be described by if-then fuzzy production rules realized by the 
truth-membership function, the indeterminacy-membership function, and the falsity-membership 
functional, we adopt the neutrosophic logic for modelling PN transition objects. In addition, we 
simulate the dynamic behavior of the tracking system in light of the ambiguity inherent in packet 
filtering by presenting a two-level filtering method to improve the ranking of the filtering rules list. 
Results from experiments on a local area network back up the efficacy of the proposed method and 
illustrate how it can increase the firewall’s susceptibility to threats posed by network traffic. 


Keywords: security engineering; intelligent firewall; neutrosophic Petri net; packet filtering; access 
control list 


1. Introduction 


The goal of security engineering is to ensure that a system can function reliably even 
if it is subjected to an attack, whether intentional or accidental. Whole systems may be 
designed, implemented, and tested, and existing systems can be modified to suit changing 
conditions by using the techniques and procedures studied in this field [1,2]. Cryptography, 
computer security, tamper-resistant hardware, formal techniques, economics, applied 
psychology, organizational knowledge, and the law are just a few of the many fields of 
study that contribute to successful security engineering. Business process analysis, software 
engineering, assessment, and testing are all components of system engineering that should 
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not be overlooked, but they alone are not enough since they focus on accidents rather than 
malicious intent. In order to create secure software systems, security engineering must 
become a standard component of the software development process [1-4]. 

Security of the internal network against attacks, fraudulent traffic, and unauthorized 
access is becoming more important as computer technology and the usage of computer 
networks continue to grow. Given the importance of firewalls to overall network security, 
firewall technology has grown to become a significant focus of network security studies. 
When two or more networks need to communicate with one another securely, they may 
utilize a firewall, which is a system of hardware and software used to enforce a certain 
policy about security. A firewall, in its most basic form, is a protective barrier that is placed 
between an internal network and an external network to regulate traffic and connections. 
Network administration security policy dictates the criteria for approving or rejecting 
connections and service requests [5,6]. 

Many functions can be carried out by a firewall system, including the definition 
of a single choke point that prevents unauthorized users from accessing the protected 
network; services that may compromise the network’s security are prevented from entering 
or departing; and security event monitoring infrastructure with built-in audits and alerts. 
In addition, virtual private networks (VPNs) and IP security may be set up and deployed 
via this platform [7]. The firewall has several drawbacks, however, such as not being able to 
prevent attacks that bypass it, not providing foolproof security against malicious insiders, 
and allowing unauthorized users to access an unprotected wireless network. In general, 
the complexity and needs of firewall design and maintenance are rising as the Internet 
continues to expand and attacks become more sophisticated [8-10]. 

The type of firewall varies from packet filtering and circuit level to a proxy service [11- 
13]. The most secure type of firewall is proxies, or application-level firewalls, which are 
CPU-intensive and have a considerable performance penalty. The penalty is incurred 
because every time a user initiates a new session, a new process must be launched. These 
application-layer firewalls are protocol-specific and operate at the application layer. The 
circuit-level firewall is another type of firewall that works at the session layer and provides a 
more complete type of protection. For TCP connections, these firewalls serve as relays. They 
monitor the handshake between packets to determine if a requested session is legitimate 
and finish the TCP connection handshake on behalf of the host behind them. Circuit- 
level firewalls are often less expensive than other types of firewalls. Due to more general 
concerns about filtering the packets, many packets may go undetected when using this 
kind of filtering [11]. 

A packet-filtering firewall is the first line of defense for every network. It analyzes each 
packet’s header and passes those packets in accordance with the filter’s rules provided in 
the access control list (ACL). It is a fundamental part of any network monitoring tool since 
it operates at the network layer. Since applications are unimportant in this type of firewall, 
individual packets are the main focus. The protocol field, source IP, source port, destination 
IP, destination port, TCP flags, ICMP type, and ICMP code are the most frequently utilized 
header fields for classifying packets [14,15]. Since it runs on low-level devices, a packet- 
filtering firewall is seen as less secure than its competitors. Packet filtering’s main flaw 
is that it mostly relies on the packets themselves to accurately report their origin and 
destination. Most existing packet filtering algorithms simply consider the properties of 
the filtering rules rather than the traffic behavior in order to optimize their performance, 
despite the fact that network traffic includes a huge number of events and a lot of important 
information [11,16,17]. This is the paper’s major issue, and our approach offers a way to 
address it. 

As firewalls must filter all traffic entering and leaving the entire network, they must be 
capable of supporting a large volume of traffic, or they will become a bottleneck. Matching 
packets at a firewall may be thought of as a challenge of pinpointing location. In order 
to locate the first matching rule in a firewall, each packet’s fields (dimensions) must be 
compared to all of the rules. Considering the wide variety of packets, the number and 
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variety of filtering rules used to examine them might be overwhelming. Most rules are 
blind to the traffic characteristics of these packets; hence, there is room for improvement 
in the effectiveness of filtering and threat identification. As a result, there has been a shift 
towards providing methods and utilities that can handle ambiguity in packet filtering 
scenarios, ultimately aiming to build an intelligent firewall whose actions can adjust to the 
dynamic nature of networks and available computing resources [10,18]. 

Fuzzy logic has become a crucial way of handling ambiguity and working with poorly 
specified or undefined systems. The degree of certainty or ambiguity with which an 
element belongs to a set is quantified by fuzzy logic. Significant gains may be achieved 
by integrating fuzzy logic control strategies into current firewall technology. Several 
researchers use a fuzzy control strategy to enhance existing firewall architectures [19,20]. 
Neutrosophic logic was employed in recent studies as a usable extension of fuzzy logic. 
Beyond the ideas of fuzzy logic, the issue of indeterminacy is extensively considered in 
neutrosophic logic. The neutrosophic set, with its third component of indeterminacy, may 
be able to capture this ambiguity and provide realistic outcomes [21]. Under the um- 
umbrella of neutrosophic reasoning, it is possible to make the firewall’s behavior flexible to 
increase operating systems’ resilience to attacks by considering not only the contents of 
network packets but also connection status information to make filtering decisions. 

Petri nets are a graphical depiction of discrete event systems that may be used as a 
mathematical description tool. Petri nets have been the subject of a significant amount of 
research and have seen widespread application because of their notable benefits, which 
include asynchronous events, conflicts, and resource sharing [22-24]. The mapping of 
Business Process Modelling Notation (BPMN) components into Petri nets is shown in 
Figure 1. However, fuzzy data applied to complicated systems with uncertainty is beyond 
the capabilities of Petri nets. This shortcoming is addressed by integrating fuzzy sets into 
Petri nets, leading to the creation of anew knowledge model known as Fuzzy Petri Nets 
(FPNs), which are typically used when modeling information or knowledge with no well- 
defined measurements [25,26]. In recent years, FPNs have been the subject of substantial 
study by academics and have found widespread use in a variety of sectors, including fault 
diagnostics, sequence control, flexible manufacturing systems, and risk prediction [27]. 
FPNs consist of places, transitions, and directed arcs that represent propositions, fuzzy 
production rules, and connections between places and transitions, respectively; see [25] for 
more details. 
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Figure 1. Mapping of Business Process Modeling Notation (BPMN) elements into Petri nets. 
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It is important to highlight that FPNs and their versions (e.g., interval type-2 FPNs) 
are powerless to deal with complex applications due to the existence of indeterminate and 
inconsistent information and the limitations of the knowledge reasoning operators [25-27]. 
Domain specialists are more likely to assign one of three distinct membership degrees—truth, 
indeterminacy, or falsity—to convey cognition or experienced knowledge because of the 
complexity and uncertainty of the practical applications. Simplified neutrosophic sets 
(SNSs) are more adaptable to uncertainty and cognitive variations in knowledge representa- 
tion because of the independence of the three membership types of SNSs. Thus, Simplified 
Neutrosophic Petri nets (SNPNs) are used with SNS as a novel kind of FPN for knowledge 
representation. It is easier to manage uncertainty and inconsistency using a knowledge 
representation and reasoning (KRR) paradigm such as this [28]. 


Contribution 


In this research, we provide a novel packet filtering model for firewalls that makes 
use of the traffic behavior of incoming packets to evaluate the external risk and improve 
the firewall’s packet filtering process. Using the SNPN concept as a strategy to manage 
uncertainty and inconsistent states improves the firewall’s efficiency and performance by 
allowing it to handle a wider range of packet types, which in turn improves the firewall’s 
ability to detect and prevent malicious activity. This is the first attempt to use SNPNs in 
the formation of firewall rule sets that describe the operation of firewall technologies. The 
ability to theoretically describe, simulate, and analyze firewall packet filtering systems is 
greatly facilitated by SNPNs. Moreover, when comparing the generalized net technique to 
the neutrosophic Petri net approach that was used, one drawback becomes apparent: the 
former struggles to effectively express various forms of uncertainty. The definition of the 
neutrosophic Petri net is characterized by its simplicity, as well as its straightforward algo- 
rithm for functioning. This feature facilitates the streamlined development of simulation 
models [24,26-35]. 

The remainder of the paper is structured as follows: Recent relevant works are dis- 
cussed in Section 2. Section 3 provides a comprehensive description of the suggested model. 
Discussions and simulation results for the syntactic dataset are presented in Section 4. 
Section 5 concludes the paper with results and implications. 


2. State of the Art 


Firewalls are divided into two types in the academic literature [36]: (1) static and 
dynamic firewalls. An administrator establishes and maintains all policies on a static 
firewall. The rules do not evolve in response to new information or circumstances. Rules 
in a dynamic firewall may be toggled on or off as needed. Time and traffic conditions are 
two examples that may inform such regulations. A dynamic firewall, for instance, may 
add malicious IP addresses to a blacklist in response to a distributed denial-of-service 
(DDoS) attack. (2) Stateful and stateless firewalls: A stateless firewall does not keep any 
logs of connections. These are limited to acting exclusively on the basis of the information 
contained in the IP packet and the previously stated rules. A stateful firewall may remember 
past events and keep track of currently open connections. The firewall may then make 
better choices based on this information. If a request was made from an internal client to 
an external server, the stateful firewall would record this and then let the incoming packet 
from the server through since it was part of an established connection. Alternatively, the 
firewall would reject the incoming reply as malicious if it came from an external server 
without a matching outbound request [11,14]. 

There have been multiple efforts to advance packet filtering firewall technology for the 
sake of improving factors such as network safety, efficiency, and service quality. In order to 
filter packets, a rule designer must first develop a set of criteria against which to check and 
match incoming data. Since packets and rules may vary and evolve over time, this seems to 
be the primary filtering challenge [11,37—43]. In Ref. [44], the authors presented a thorough 
overview of deep packet inspection and other forms of packet analysis used in network 
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forensics, as well as a study of packet analysis, approaches driven by artificial intelligence 
that can classify and identify complex patterns in network traffic. In this article, we take 
a look at the capabilities of packet analyzer software and hardware appliances from the 
point of view of their possible use in network forensics. 

For software-defined networks (SDNs), the authors in [45] developed a firewall that 
takes applications into account. The firewall’s core module works in tandem with sub- 
modules that perform packet filtering, application recognition, and security enforcement. 
The system monitored data transfer at the network, transport, and application layers and 
then pushed down protective measures. The research described in [46] primarily focused 
on real-time packet filtering technologies to restrict service access only to authorized users. 
The distinctive, enhanced packet marking approach stops the flow of unknown packets at 
their source, giving users a more manageable wait time before they can begin using the 
service. In this task, the authors used the NS3 simulator and the Ethereum Blockchain 
platform to replicate their work. In accordance with the concept of the packet marking 
approach, after discarding the unknown flooding of packets, the incoming traffic constitutes 
90% of the real traffic flow of packets to the blockchain network. 

In Ref. [47], a novel strategy was suggested for IP packet filtering by fusing two data 
structures into a single one that is optimized for IP packet filtering in terms of speed, 
scalability, and flexibility (including dynamic access to filters and the ability to conduct 
an approximate membership query). In experiments, the suggested technique achieved 
a throughput of 10.8 Mbps/s with good filtering accuracy and minimal memory needs, 
even while processing large filter sets (up to 1 GB). The inefficient use of search space and 
data storage are two problems plaguing current approaches to packet filtering algorithms. 
In Ref. [48], the authors offer a fireworks-based method for packet filtering that gets over 
these limitations. Sparks from the fireworks are used by the so-called fireworks-based 
packet filtering (FWPF) algorithm to determine which rule in the firewall rule set best fits 
the incoming packet. When compared to other current packet filtering algorithms, FWPF 
has the benefit of a smaller search area, which speeds up the discovery process. 

In Ref. [49], the authors provided a workable technique for network access control list 
(ACL) matching trie, which improves the efficiency of the multi-bit stride extension. To 
test their approach, they created synthetic ACLs to mimic real-world campus networks 
and Internet backbone restrictions. They also demonstrated that the issue of slow data 
structure construction times inherent in prior-art data structure-based filtering algorithms 
is addressed by this new approach. In Ref. [50], the authors compared the efficiency of 
the cuckoo hash table and the Bloom filter for classifying packets, both of which have 
practical uses in packet filtering and, more specifically, in legal interception systems. The 
data plane development kit includes these techniques as part of its library, in addition to 
making it possible to conduct rapid packet capture using commodity hardware. The cuckoo 
hash table is an accurate classification approach, whereas the Bloom filter is a probabilistic 
method that uses less space but may produce false positives, making it more suitable 
for use in performance-critical applications. The performance advantages of utilizing a 
probabilistic technique are weighed against its downsides by comparing the execution time 
and memory requirements of the two approaches. 

In Ref. [51], the authors discussed the extended Berkley packet filter (eBPF) platform, 
which enables code to be dynamically loaded into the Linux kernel. Accelerating network- 
ing by letting the kernel handle certain packets without help from a user-space programmer. 
Recently, eBPF has only been used for basic packet filtering functions such as firewalls 
and DDoS protection. They demonstrated that it is possible to create a machine-learning- 
based, flow-based network intrusion detection system solely in eBPF. Their approach uses 
a decision tree to assess whether or not a packet is malicious, taking the whole context of 
the network flow into consideration. A speed increase of nearly 19% was realized when 
comparing this method to its implementation as a user-space programmer. 

Unexpected blocking is a common problem when employing firewall technology to 
stop network traffic. The primary reason for this is that, with the widespread adoption 
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of virtual hosts, a single IP address will serve as the host for several domain names. As 
a solution, the research described in [52] suggested using Server Name Indication (SNI) 
data to implement traffic blocking. To begin, a Linux kernel module is built using the 
infrastructure of net filtering and IP tables. Second, HTTPS communication takes advantage 
of the Transport Layer Security (TLS) protocol’s unencrypted SNI information to prevent 
domain name traffic. Finally, the Linux kernel is set up to accept batch writes of domain 
name sets in accordance with the rules of certain IP tables. Their approach can be used to 
build up domain names and domain name traffic-blocking rules in IP tables. 

In Ref. [53], the authors recommended a passive model for detecting anomalies in con- 
tainer networks. The model is based on eBPF technology, which collects process granularity 
data in the Linux kernel in a non-intrusive manner to obtain network performance data at 
the granularity of containers, which is then combined with machine learning classification 
techniques to determine if the container’s network performance is abnormal. In order to 
provide automated detection and defense against synchronized sequence numbers (SYN) 
flood attacks, the authors in [54] developed a system architecture based on the eXpress Data 
Path (XDP) and the extended Berkeley Packet Filter (eBPF). Data on the rate of SYN request 
connections per unit time per IP address and the rate of server retransmission SYN request 
connections can be extracted by studying the SYN Flood attack’s underlying principle and 
using eBPF to monitor the attack process in the Linux kernel’s network protocol stack. The 
abnormal connection IP address is identified by sending the indicator data corresponding 
to each IP address to the detection algorithm for analysis and source tracing. Herein, XDP 
is utilized to protect against malicious connection IPs. 

A smart packet filter powered by artificial intelligence is required since current solu- 
tions take too long to process incoming packets. The research published in [55] used an 
ensemble model (smart learner) on a maximum 11-depth random forest. Using the stacked 
K-gold cross-validation method, the model achieves an average accuracy of 99.76%. Parti- 
tioning and converting rule sets for hybrid packet processing are described by the authors 
in [56]. HyPaFilter+ was suggested as a solution. It is a hybrid classification system that uti- 
lizes both a hardware matcher implemented on a Field Programmable Gate Array (FPGA) 
and a software netfilter firewall implemented in Linux, resulting in a straightforward and 
efficient mechanism for switching packets between the two. Throughput improvements of 
up to 30 times were seen in comparison to software-based packet processing. 

In Ref. [57], the authors presented a deep packet: a deep learning-based approach 
that combines feature extraction and classification into a single system capable of traffic 
characterization (wherein the traffic on a network is divided into broad categories) and 
application identification (wherein the applications used by end users are searched out). 
Deep Packet, in contrast to most existing approaches, can detect VPN and non-VPN network 
traffic, as well as identify encrypted communication. In order to categorize packets, the 
Deep Packet Framework uses a pair of different kinds of deep neural networks: stacked 
autoencoders (SAEs) and convolutional neural networks (CNNs). Their tests showed that 
Deep Packet performs best when using CNN as its classification model, with recalls of 0.98 
and 0.94, respectively, for the application identification and traffic categorization tasks. 

In Ref. [58], the authors suggested using a new cache-based reconnaissance approach 
to penetrate Linux-based firewalls that were virtualized. Because of the capability of 
source spoofing, this method increases stealth against intrusion detection. In addition, 
it facilitates the deduction of several filtering rules. Using just a small sample size of 
packets, this approach was able to infer the firewall rules with an accuracy of over 90% 
during an experiment conducted on the open-source router and firewall platform (VyOS). 
In addition, they demonstrated remedies to prevent cache-based attacks on virtualized 
network functions. In Ref. [59], the authors create a blacklist packet filter for WSNs that is 
based on the blockchain and has collaborative intrusion detection. A strong blacklist for 
limiting unwanted traffic is constructed with the use of blockchain technology. Using a 
real-world dataset and a realistic WSN environment, they analyzed how well their filter 
performed. The results showed that the proposed filter may strengthen blacklist creation. 
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Packet Filtering 
Firewall Systems 


The authors in [60] developed an effective firewall that makes use of a packet catego- 
rization algorithm based on a Learned Cuckoo Filter (LCF) to reduce the method’s impact 
on the network. The search approach used by this algorithm is hierarchical. By using the 
machine learning model as a pre-filter before the cuckoo filter, the algorithm is able to re- 
duce memory requirements and boost speed by avoiding the needless search for rules in the 
subsequent step. Extensive simulations confirmed the presented design’s advantages with 
regard to false positive rate, memory usage, and memory access. In Ref. [61], a simulation 
model was presented for measuring the effectiveness of different filtering rules in a firewall. 
Different simulation model settings and network traffic behavior scenarios were used to 
assess the method’s efficacy in establishing a filtering rule set. Table 1 summarizes the 
major categories that recent packet filtering firewall systems follow from the perspective of 
their strengths and limitations. 


Table 1. Summary of state-of-the-art packet filtering firewall systems. 


Approach 


Strengths 


Limitations 


Deep packet inspection 
[44—-46,55-57] 


Study of packet analysis 
approaches driven by 
artificial intelligence. 


1. Easy to install. 

2. Faster than other firewall 
technologies because they 
perform fewer evaluations. 


1. Difficulty in setting up packet 
filtering rules for the router. 

2. There is not any sort of 
user-based authentication. 


Cuckoo filter-based IP 
packet filtering [47,50,60] 


Fusing two data structures 
into a single one that is 
optimized for IP packet 
filtering in terms of speed, 
scalability, and flexibility. 


1. Packet filters make use of 
current network routers. 

2. Makes security transparent 
to end-users. 


1. Difficulty in setting up packet 
filtering rules for the router. 

2. There is not any sort of 
user-based authentication. 


A Fireworks-Based 


Sparks from the fireworks are 
used to determine which rule 


1. Ease of use. 


1. User restriction. 
2. Malware attack. 


Approach [48,49] in the firewall rule set best fits 2. Cost effective. 3. Difficulty in updating ACL. 
the incoming packet. 
Uses a decisions 13 etal : 1. Packet filters do not understand 
: whether or not a packet is 1. Packet filters make use of ae 
Berkley packet filter application layer protocols. 


platform [51,53,54] 


malicious, taking the whole 
context of the network flow 
into consideration. 


current network routers. 
2. Cost effective. 


2. Packet-filtering routers are not 
very secure. 


Blacklist packet filter for 
WSNs [59] 


A strong blacklist for limiting 
unwanted traffic is 
constructed with the use of 
blockchain technology. 


Research Gap 


1. Promotes privacy 
and security. 
2. Monitors network traffic. 


1. Lack of logging capabilities. 

2. Challenging setup. 

3. New rules may need to be 
added if an employee needs 
special requirements to connect to 
the internet. 


We think there are many unexplored opportunities in the field of intelligence firewalls 
despite the numerous different packet filtering approaches now in use. This study intro- 
duces a novel model for intelligent packet filtering, one that takes advantage of SNPN’s 
capabilities to create a double-tiered filtering architecture. With the help of risk levels, the 
first layer of packet filtering is able to recognize malicious packets and prevent them, while 
the second layer aims to boost filtering performance based on the rating of accepted and 
rejected packets. For fuzzy knowledge representation and reasoning, the SNPN theory 
provides tools for dealing with imprecise and ambiguous packets’ information. In fact, 
the SNPN model’s implementation enables the use of essential features such as testing 
for correctness, circular rules, consistency, and completeness. To represent the experience 
and knowledge of subject matter experts, independent truth, indeterminacy, and falsity 
membership functions define SNPNs. 
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3. Methodology 


In order to effectively secure networks, firewalls must meet two competing require- 
ments [62]: (1) They must be able to classify network packets at line speed. To avoid 
the firewall from becoming a bottleneck for network access, what throughput, maximum 
simultaneous connections, connections per second, and latency criteria must be satisfied for 
both current and future traffic needs; (2) They must be able to process packets in a variety 
of ways to accommodate varying filtering policies. Packet-filtering routers have restricted 
access to data. While packets know their host, they do not know who is using them. Asa 
result, it is impossible to place limitations on certain users. High-level protocols provide 
for control over which users have access to the ports. To guarantee that no one else is using 
that port, these methods lock it down. 

Systems constructed on special-purpose hardware are quick but restricted in their 
filtering capabilities, and unfortunately, most present classification systems do not satisfy 
both needs equally well. While software filters offer robust matching semantics, they often 
fall short when it comes to line speed. This justifies combining a slower but more flexible 
software firewall with faster but more sophisticated specialized hardware. The benefits 
of packet filtering firewalls as a network security solution are their low complexity, low 
cost, high speed, low resource consumption, predictability, and determinism. However, 
it has drawbacks, such as being ineffective against modern attacks, being vulnerable to 
spoofing, being unable to make decisions based on application or authentication, and rule 
lists growing too large to manage [63]. Existing packet classification methods still have 
issues with poor classification performance and huge storage space despite the fact that a 
lot of research has been conducted in this field. 

The suggested model uses SNPNs as a visual representation of neutrosophic logic- 
based firewall packet management. Theoretically, the computing capability of PNs, FPNs, 
and SNPNs is the same; nevertheless, SNPNs have much greater modeling power because 
of their superior structural facilities. For any PN object (transition, place, or arc), neu- 
trosophic logic may be used to construct logical expressions and functions. Specifically, 
we use the truth-membership function, the indeterminacy-membership function, and the 
falsity-membership function to describe the uncertainty in a packet’s movement, a concept 
borrowed from neutrosophic logic for modelling PN transition objects. 

To filter Internet traffic, neutrosophic logic was used at two levels: first, to evaluate the 
potential threat posed by incoming packets from the Internet; and second, to reorganize 
the access control list (ACL) by assigning acceptance and rejection ratings to each packet. 
ACLs are often established by the network administrator, who determines the permissions 
granted to various users and network resources based on a predetermined set of rules 
designed to achieve a number of security goals [64,65]. For simplicity, the suggested model 
relies on standard ACL (see Figure 2); for further information on the various types of ACL, 
the reader can refer to Ref. [64]. The packet’s acceptance or rejection from the network’s 
perspective depends on the rule set of access control lists. Packet filters are responsible 
for sorting data packets into predetermined categories. Table 2 displays an example of a 
typical access control list, which includes multiple filtering criteria. In general, the rules 
are evaluated in a top-down fashion. Figure 3 shows the high-level data flow diagram 
representing the two-level neutrosophic packet filtering system developed here, which 
offers superior filtering performance from a security perspective. Below, we have laid out 
all the steps involved in the proposed model in detail. 


Table 2. An example of ACL. 


Destination Source Destination Protocol : 
No Source IP IP Port Port Type Action 
R1 203.117.102.15 193.170.92.3 * = ICMP Allow 
R2 203.117.175.6 193.170.75.7 = = UDP Allow 
R3 203.117.175.4 193.170.62.29 * ‘ TCP Deny 


* Mean any source/destination port. 
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Figure 3. The proposed 2-level neutrosophic packet filtering model. 
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Formally, an SNPN structure is defined as an 11-tuple [28] 


SNPNs = (P,T,1,O,«, B, M, U, W,T) (1) 
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where 
7 P= {py,po,.0+ +0: , Pm} is a finite set of places; 
= T = {t1,to,...... , ty} is a finite set of transitions; 
= D = {dj,dp,...... ,dy} is a finite set of propositions; 


- [=P-+T is an input incidence matrix, which defines a mapping from places 
to transitions; 

- O =T — P isan output incidence matrix, which defines a mapping from transitions 
to places; 

- «= P- (0, 1] is an association function, which maps places to real values between 0 
and 1; 

- «=P-—+ D isa mapping between places and propositions; 

- M = P + OQ isthe truth values of all places, expressed by the vector M = (01, 02,...., am)! , 
which map from places to simplified neutrosophic number (SNNs); and a; is an SNN. 
The initial marking vector is denoted by Mo; 

= U = T x Pisa vector expressed by U = (p11, flz,..-., Un)*; yj is the certainty factor of 
transition t;; and n is the numbers of transitions. 

- W= Px T assigns a value to each arc between input place and transition, expressed 
by W = [wij] _,,.,, whose element w;; € [0, 1] indicates how much the place p; affects 
the following transition t;, with 7" wij = 1,7 =1,2,....n. 

- T assigns a threshold value A; to each transition, expressed by T = (A1,Az,....,An) 
whose elements take the form of simplified neutrosophic number (SNN). 


An SNN A in U (a finite set of objects) is depicted by three functions including 
the truth-membership function T , (x), indeterminacy-membership function I, (x), and 
falsity-membership function F 4(x), as illustrated in Figure 4 where ar, br, and cr are 
the parameters of the truth-membership function; a), b;, and c; are the parameters of 
indeterminacy membership function; and af, bp, and cr are the parameters of falsity- 
membership function. These parameters will be determined by the proposed framework. 
T a(x), I4(x) and F,4(x) are all the standard subsets of [0, 1]. An SNS can be represented 
by the following [28]: 


A= {(x, Ta(x),Ta(x), Fa(x))|x € U} 2) 


where T(x) € (0, 1], T(x) CG (0, 1], Fa(x) € (0, 1], and 0 < Ta(x) + T(x) + Fa(x) <3. 
InSNPNs, if a transition ¢; € T is enabled (enabling rule), two conditions should be satisfied, 
including (a) the value of place is not negative; (b) the equivalent input value of transition 
is greater than or equal to the threshold value. 


ee a. ee (REF =A Dperreen mn (3) 


a(pjij) is the value of place p;j, and it denotes the truth degree of proposition dj; 
and 6(t) = SNNsHAw (a (pj), a(Pj2), estes a (Pim)) is the input value of a transition t 
calculated by the SNNs hybrid averaging (GNNsHA) operator. The SNNsHA operator can 
not only weigh the SNNs but also weigh their ordered positions. 


n n 


n OOF TUS ; 
SNNsHAw(Aj, A2,..--+- )An) = LwiAt = (1-T] (1 — Tr) ATE TL Fy) @ 
j=l j=1 j j=l “F jot 4 


A; is the j-th largest element of the weighted SNNs (nw1A1,nw2A3,...... ,NWy,A,); the 
weight vector w = (W1,W2,.....,Wn),w € [0, 1] and )"_, w; = 1; and nis the balancing factor. 
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Trigh 


Figure 4. (a) Truth, (b) indeterminacy, and (c) falsity-membership functions. 


3.1. Level 1 Filtering 


In order to mimic and track the packet flow, this level depends on collecting and 
classifying all arriving packets based on the data they contain, such as their IP address, 
packet time, and protocol type. In our framework, a packet is symbolized by a token in 
an SNPN place, and the operation of a packet is demonstrated by an SNPN transition; 
it is responsible for transmitting the packet from one location to another. The packet is 
moved to a place where it is checked and compared to the ACL after being picked up by a 
gate (place). In addition, a copy (replica) of this packet is sent immediately to the traffic 
investigation phase so that parameters (features) may be extracted from it, such as the total 
number of ICMP packets received during the time frame in question. The neutrosophic 
logic engine that generates the risk level relies on these two factors (packet count and time 
period) as inputs. Threats posed by the movement of packets originating from untrusted 
sources are reflected in this risk level. 

Due to its widespread usage by attackers at all stages of system penetration, the 
ICMP protocol is the focus of the proposed framework. Traffic-based attacks such as 
ICMP flood attacks utilize huge demands on servers to disrupt their regular operations. 
In addition, ICMP was exploited for system compromise and utilized as a backdoor by 
attackers in certain cases to communicate with one another (covert channel) [66]. The 
proposed framework is flexible enough to handle attacks using non-TCP protocols, such as 
TCP SYN and UDP Flood. IP packets containing UDP datagrams are sent by an attacker in 
an attempt to overwhelm a target system until it is unable to process legitimate connections, 
a phenomenon known as User Datagram Protocol (UDP) flooding [67]. SYN-Flood attacks 
are distinguished by the attackers’ use of faked source IP addresses in a barrage of TCP 
SYN request packets. This causes the server to use excessive resources to keep track of a 
high number of partially open connections, which might prevent it from providing typical 
services in the long term [68]. 

The number of ICMP echo-request packets P;. and packet arrival time interval P; were 
chosen because they are simple and considered in the majority of attack defense scenarios, 
particularly when we have a significant number of echo requests. For the membership 
grading function (MF) to be usable in the neutrosophic controller in use, feature vector 
measures must be transformed into the range [0, 1] via the Gaussian normalization method. 
When it comes to packet filtering, neutrosophic logic (NL) is perhaps the most effective 
and flexible way of dealing with a mix of measurements that range in uncertainty. NL is 
a theory that permits issues to be addressed using just natural descriptions in language, 
as opposed to only numerical numbers [69-71]. Neutrosophic controllers consist of four 
modules. First, data on all relevant aspects of the process under control are collected. 
Second, we capture the measures’ truth, falsehood, and indeterminacy via neutrosophic set 
membership functions (neutrosophication phase). Third, the neutrosophied measurements 
are used by the inference engine to evaluate the control rules in the neutrosophic rule 
base. The last module of the cycle, known as the de-neutrosophication phase, reduces this 
neutrosophic set to a single (crisp) value that best represents the derived set [72]. 

The goal is to use a neutrosophic model to represent the uncertainty of packet features. 
In this case, we use a neutrosophic controller with two inputs and a single output, defined as 
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f: UC R" —> V — R" where U = U; x Up is the input space and V is the output space. 
The characteristic of Po is described using three neutrosophic variables: low, medium 
(normal), and high; the feature of P; is described using three neutrosophic variables: 
long, medium, and short; and the characteristic of risk level R is described using three 
neutrosophic variables: small, moderate, and large. Their respective triangular membership 
functions are shown in Figure 4 [28]. The corresponding equations are expressed by 
Equations (5)-(13). All of the membership function’s parameters are quantitatively derived 
based on past experiences to assess the impending risk level via packet traffic. 


1, O<x<ar 


=X 


b 
Thow = bap? ap <x <br (5) 


0, otherwise 


X—aT 
br—ar’ aT < x < br 


crT—Xx 


Tinedium = crab’ be axe <tr (6) 


0, otherwise 


x—br 
oop? bee oF 


Thigh = 1. erp sxe (7) 
Ss 
0, otherwise 
aj—-Xx 
Ta, , O<xX <a, 


X—ay 


Tr ee (8) 


Llow = 


0, otherwise 
bik ar <x<b 
bj—ay’ I = I 


—b 
cae bh<x<cy (9) 


I medium = 


0, otherwise 
Ci-x 
cr—b;’ by < x < Cl 
x—C] 


Thigh = 2(1—c))’ Cy < x< 1 (10) 


0, otherwise 
x 
ap’ 0 <x< ar 


b 
Braap? FF SX < de (11) 
0, otherwise 


X—ap 
bp—arp’ aF < x < be 


Cp 


Enedium = cp—bp’ be SX < tp (12) 


0, otherwise 


x—bp 
ce—br’ br < x < CF 
Fhigh = fat, CeS<x<il (13) 


0, otherwise 


In order for the system to infer the risk of the packets, it must first learn the neutro- 
sophic descriptions of the features included inside them. The existence or lack of association 
or interaction between the components of two or more sets is presented as a degree in 
neutrosophic reasoning, which is expressed by a collection of neutrosophic IF-THEN rules. 
In the same manner that people think, the nine rules collectively address the suggested 
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weight allocations. The decision is more reasonable since the neutrosophic inference con- 
siders all nine situations simultaneously. The AND operator is used to obtain a single value 
when more than one part of an antecedent occurs in a rule. When this is carried out, there 
is only one possible value for truth. In this setting, min (minimum) represents the AND 
operator. The following rules, shown in Table 3, govern the application of logic in the 
proposed model. 


Table 3. Neutrosophic logic-based packets’ risk determination: a set of basic rules. 


Rule ICMP-Echo-Rate Py Time Duration P; Risk Level R 
1 High Long Moderate 
2 Medium Long Moderate 
3 Low Long Small 
4 High Short Large 
5 Medium Short Large 
6 Low Short Moderate 
7 High Medium Large 
8 Medium Medium Moderate 
9 Low Medium Moderate 


Next, a crisp value for the variable is calculated by de-neutrosophicating the neutro- 
sophic outputs. Linear trapezoidal neutrosophic numbers may be de-neutrosophicated 
using the same area reduction method as is used for single-valued trapezoidal neutrosophic 
numbers; see Ref. [73] for more details. The initial ACL configuration and writing are the 
responsibility of the network administrator. If a packet matches a rule, that rule triggers an 
action. The actions specify whether the packet should be blocked “deny” or allowed “allow” 
across a certain interface. To improve packet filtering efficiency, the proposed system uses 
the obtainable risk level to adjust the action of ACL rules that, in turn, reflect the valid and 
trustable address list and determine the authentication level of all IP addresses. If the risk 
value is higher than the critical degree (threshold T > 0.75) set by the security administrator, 
the blacklisting rules switch from accept to deny, causing previously accepted packets to be 
dropped, as can be shown in Table 4. In contrast, the white-listing process does not affect 
the risk level beyond a certain threshold. In our case, the default value was determined 
according to preliminary experiments conducted to verify the best value of T to achieve a 
balance between the two goals of classifying network packets at line speed and processing 
packets in various ways to accommodate various filtering policies. 


Table 4. An example of ACL after updating with risk level. 


No Source IP Destination Source Destination Protocol Risk Action 
IP Port Port Type Value 

R1 = .203.117.102.15 193.170.92.3 - " ICMP 0.83 Block 

R2 = _203.117.175.6 193.170.75.7 i * UDP 0.88 Block 

R3—203.117.175.4 193.170.62.29 = . TCP 0.25 Block 


* Mean any source/destination port. 


3.2. Level-2 Filtering 


Each firewall has its own set of packets that it accepts and its own set of packets that it 
rejects. Our solution takes use of this fact to improve packet filtering efficiency by using 
level-2 fuzzy filtering to track the acceptance/rejection rate of packets and reorganize ACL 
rules to reduce the amount of time it takes for rules to be matched. Also, a neutrosophic 
model is used in an effort to represent the uncertainty in the packets acceptance rate R 4 
or packets rejection rate Rr. A neutrosophic controller with only two inputs Ry and Rr 
and one output, calculated rate Rc, is employed here. The characteristics of both Rg and 

Rp are described using three neutrosophic variables: low, medium (normal), and high; 
the characteristic of calculated rate Rc that characterizes the rejection and acceptance rates 
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in packets traffic is described using three neutrosophic variables: high reject, equal, and 
high accept. Their respective triangular membership functions are shown in Figure 4. To 
estimate the packet traffic’s rejection and acceptance rates, all of the membership function’s 
parameters are numerically determined based on experience. The following rules, shown 
in Table 5, are applied to the suggested model approach for reasoning. In the same manner, 
the de-neutrosophicated step is started to generate a crisp value for the variable. Here, if 
Rc = high accept, any rules whose actions include ‘allow’ are shuffled and placed at the 
front of the ACL, giving them the highest priority to run. In contrast, if Rc = high reject, 
the rules that have a ‘block’ action are shifted to the beginning of the ACL, giving them the 
greatest priority to satisfy, while the rules that have a ‘allow’ or ‘block’ action are fixed to 
the end of the ACL. 


Table 5. Neutrosophic logic-based packets’ traffic rate determination: a set of basic rules. 


Rule Acceptance Rate Ry Rejection Rate Rr Calculated Rate Rc 
1 High Low High Accept 
2 High High Equal 
3 High Medium High Accept 
4 Low Low Equal 
5 Low High High Reject 
6 Low Medium High Reject 
7 Medium Low Equal 
8 Medium High High Reject 
9 Medium Medium Equal 


In conclusion, the proposed model can dynamically alter the order of rules to reflect 
their highest priority based on the acceptance and rejection rates of packets, as well as the 
ability to change the rules’ activities in two distinct phases, depending on the risk level of 
the incoming traffic. The suggested packet filtering model is resilient to network traffic 
attacks because it uses neutrosophic logic to deal with the uncertainty associated with 
system variables such as packet risk level and packet acceptance/rejection rate. Expert 
opinions were linked to linguistic factors in the proposed model using a neutrosophic 
method. These linguistic variables reflect the expert opinions more precisely. 


4. Results and Discussions 


The suggested method was implemented in Python for testing purposes. We utilized 
a modular approach to building the model and showed how the hierarchical ideas behind 
SNPNs can be used to integrate several firewall mechanisms into a single, powerful one. 
There are five distinct types of information that may be filtered out: IP address ranges, 
ports, protocols, and source and destination IP addresses. In the current version of the 
suggested model, the fuzzy rules in Tables 3 and 5 are defined according to what was 
presented in related work in Refs. [74-77]. The experiments were conducted on a laptop 
with an X64-based processor and 8 GB of DDR3 memory on an Intel® CoreTM i7-5500 CPU 
running at 2.50 GHz. Standard TCP, UPD, and ICMP protocols were used in the simulation 
to evaluate the proposed firewall packet filtering. The suggested model was tested using 
a variety of settings. We evaluate this model offline by utilizing Network Simulator 11.3 
software (http: //fr.lagache.free.fr/netsim /exemple_filtrage_php?lang=en, accessed on 1 
March 2023). In this case, after we executed the prototype version of our model to build 
the ACL with re-configured rules, these rules were used within the simulator to filter the 
network packets. An evaluation of the suggested method vs. fuzzy and non-fuzzy filtering 
strategies is also provided. What follows is a discussion of the evaluation’s results. 
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4.1. Experiment 1: (Computational Cost) 
- The Aim 


Table 6 compares the time it took for a group of data packets to pass through the 
firewall before and after the firewall rules in the ACL were optimized by rearranging them. 
The purpose is to evaluate the difference in processing times between randomly sequencing 
rules (the traditional firewall packet filtering strategy) and optimally reordering them (our 
suggested model). Our filtering method reorders the filtering fields (actions) from the 
beginning of the ACL. 


Table 6. Computational cost comparison (ms). 


No. of Packets 500 1000 2000 3000 4000 5000 


ACL Random Sequence 40 60 110 200 280 320 
ACL Rearranged Sequence (suggested model) 15 25 35 60 75 90 
- Findings 


According to Table 6, the time it takes for data packets to get through the firewall was 
reduced by around a third after filtering fields were optimized (reordered). More rules lead 
to a more significant outcome in terms of response time. 


- Justification 


The results demonstrate that the suggested algorithm significantly increases the effec- 
tiveness of firewalls by reducing the number of rule comparisons. The results also show 
that the system can handle large rule sets. 


4.2. Experiment 2: (Comparative Study) 
- The Aim 


Experiment 2 compares the suggested approach to non-fuzzy and fuzzy firewall 
filtering methods. In the fuzzy firewall filtering method, fuzzy Petri Net is utilized as a tool 
for modeling discrete event systems characterized by imprecise knowledge. The acceptance 
and rejection rates of the package are the subject of this analysis. In the first scenario, each 
user sends ten legitimate and malicious packets. The firewall will decide what happens 
when the filtering rules detect certain behaviors (reject or allow). We then examined the 
percentage of legitimate packets that were accepted. Tables 7 and 8 provide the results of a 
comparison of the acceptance and rejection rates according to different thresholds T. In 
the second scenario, we examined the rate at which malicious packets were rejected; the 
results are shown in Table 9. 


Table 7. Analyzing the comparative acceptance rate of legitimate packets (average). 


Threshold 0 0.2 0.4 0.6 0.8 1 


Neutrosophic-based filtering 0.94 0.93 0.91 0.90 0.85 0.83 
Fuzzy-based filtering 0.71 0.71 0.67 0.67 0.65 0.56 
Traditional filtering 0.52 0.51 0.38 0.34 0.29 0.15 


Table 8. Analyzing the comparative rejection rate of legitimate packets (average). 


Threshold 0 0.2 0.4 0.6 0.8 1 


Neutrosophic-based filtering 0.06 0.08 0.10 0.12 0.14 0.17 
Fuzzy-based filtering 0.32 0.35 0.39 0.42 0.42 0.42 


Traditional filtering 0.62 0.64 0.65 0.68 0.71 0.83 
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Table 9. Analyzing the comparative rejection rate of malicious packets (average). 
Threshold 0 0.2 0.4 0.6 0.8 1 
Neutrosophic-based filtering 0.97 0.97 0.97 0.92 0.91 0.89 
Fuzzy-based filtering 0.82 0.84 0.84 0.86 0.86 0.87 
Traditional filtering 0.62 0.62 0.64 0.65 0.71 0.78 


- Findings 


According to the results, the suggested model is quite good at identifying legitimate 
packets and avoiding malicious packets. The results of neutrosophic logic-based filtering 
are consistently superior to those of other filtering policies with regard to uncertainty 
connected with packet traffic behavior. Despite their popularity, FPNs have shortcomings 
in the realm of security engineering due to the fact that it is difficult to express many forms 
of uncertainty. 


- Justification 


Our method more accurately represents the ambiguity of a packet’s movement thanks 
to the truth-membership function, the indeterminacy-membership function, and the falsity- 
membership function, which are all realizations of the neutrosophic logic for modelling PN 
(SNPNs) transition objects. 


5. Conclusions 


Firewalls are a crucial part of any secure network infrastructure. In recent years, 
researchers have focused on how to optimize packet filtering. However, new inventive 
approaches are clearly required to help filtering devices such as firewalls keep up with 
increased capabilities for preventing attacks on network traffic. This research offers a novel 
method for optimizing packet filtering in network security rules by using information 
(statistics) about online traffic. We believe that incorporating fuzzy logic control methods 
into existing firewall technology will provide significant improvements. It is the first time 
a neutrosophic Petri net has been used to create and enhance firewall rules. Our firewall 
optimization tool takes into account both rule sets and traffic. A formalism known as 
neutrosophic Petri nets is used to explain the operation of firewall technology in this system. 
To describe, compose, simulate, and analyze firewall systems, SNPNs give us the theoretical 
foundation and tools necessary to do so. The suggested system’s pioneering feature is 
the employment of two levels of neutrosophic reasoning-based filtering appropriate for 
network traffic behavior to manage varying levels of uncertainty connected to packet 
contents, with the goal of improving the security of firewalls and their efficiency via 
rule optimization. 

The prototype implementation of our firewall system indicates that it is suitable for de- 
ployment in real-world networking. Together with previous successes in rule optimization, 
it demonstrates the promise of our research results in enhancing the efficacy of firewalls. 
The findings show that the proposed model successfully distinguishes between genuine 
and malicious packets. When it comes to filtering packet traffic under conditions of uncer- 
tainty, the results from neutrosophic logic-based filtering regularly outperform those of 
conventional filtering methods. Furthermore, after optimizing (reordering), the firewall 
filtering model cut the time it takes for data packets to get through the firewall by about a 
third. Response times become more important as the number of rules increases. 

The subject of whether desired features of firewall systems may be stated as dynamic 
properties and then validated by SNPNs is one that might be explored in the future. 
Furthermore, comparing the present approach with the one based on generalized nets as an 
extension of Petri nets and the intuitionistic fuzzy set approach instead of the neutrosophic 
sets [78-82] might be explored, in addition to making more comparisons with the current 
methods [83-92] to show the efficiency of the proposed system. 
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